xref: /freebsd/sbin/natd/natd.8 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" $FreeBSD$
2.Dd December 10, 2007
3.Dt NATD 8
4.Os
5.Sh NAME
6.Nm natd
7.Nd Network Address Translation daemon
8.Sh SYNOPSIS
9.Nm
10.Bk -words
11.Op Fl unregistered_only | u
12.Op Fl log | l
13.Op Fl proxy_only
14.Op Fl reverse
15.Op Fl deny_incoming | d
16.Op Fl use_sockets | s
17.Op Fl same_ports | m
18.Op Fl verbose | v
19.Op Fl dynamic
20.Op Fl in_port | i Ar port
21.Op Fl out_port | o Ar port
22.Op Fl port | p Ar port
23.Op Fl alias_address | a Ar address
24.Op Fl target_address | t Ar address
25.Op Fl interface | n Ar interface
26.Op Fl proxy_rule Ar proxyspec
27.Op Fl redirect_port Ar linkspec
28.Op Fl redirect_proto Ar linkspec
29.Op Fl redirect_address Ar linkspec
30.Op Fl config | f Ar configfile
31.Op Fl log_denied
32.Op Fl log_facility Ar facility_name
33.Op Fl punch_fw Ar firewall_range
34.Op Fl skinny_port Ar port
35.Op Fl log_ipfw_denied
36.Op Fl pid_file | P Ar pidfile
37.Ek
38.Sh DESCRIPTION
39The
40.Nm
41utility provides a Network Address Translation facility for use
42with
43.Xr divert 4
44sockets under
45.Fx .
46.Pp
47(If you need NAT on a PPP link,
48.Xr ppp 8
49provides the
50.Fl nat
51option that gives most of the
52.Nm
53functionality, and uses the same
54.Xr libalias 3
55library.)
56.Pp
57The
58.Nm
59utility normally runs in the background as a daemon.
60It is passed raw IP packets as they travel into and out of the machine,
61and will possibly change these before re-injecting them back into the
62IP packet stream.
63.Pp
64It changes all packets destined for another host so that their source
65IP address is that of the current machine.
66For each packet changed in this manner, an internal table entry is
67created to record this fact.
68The source port number is also changed to indicate the table entry
69applying to the packet.
70Packets that are received with a target IP of the current host are
71checked against this internal table.
72If an entry is found, it is used to determine the correct target IP
73address and port to place in the packet.
74.Pp
75The following command line options are available:
76.Bl -tag -width Fl
77.It Fl log | l
78Log various aliasing statistics and information to the file
79.Pa /var/log/alias.log .
80This file is truncated each time
81.Nm
82is started.
83.It Fl deny_incoming | d
84Do not pass incoming packets that have no
85entry in the internal translation table.
86.Pp
87If this option is not used, then such a packet will be altered
88using the rules in
89.Fl target_address
90below, and the entry will be made in the internal translation table.
91.It Fl log_denied
92Log denied incoming packets via
93.Xr syslog 3
94(see also
95.Fl log_facility ) .
96.It Fl log_facility Ar facility_name
97Use specified log facility when logging information via
98.Xr syslog 3 .
99Argument
100.Ar facility_name
101is one of the keywords specified in
102.Xr syslog.conf 5 .
103.It Fl use_sockets | s
104Allocate a
105.Xr socket 2
106in order to establish an FTP data or IRC DCC send connection.
107This option uses more system resources, but guarantees successful
108connections when port numbers conflict.
109.It Fl same_ports | m
110Try to keep the same port number when altering outgoing packets.
111With this option, protocols such as RPC will have a better chance
112of working.
113If it is not possible to maintain the port number, it will be silently
114changed as per normal.
115.It Fl verbose | v
116Do not call
117.Xr daemon 3
118on startup.
119Instead, stay attached to the controlling terminal and display all packet
120alterations to the standard output.
121This option should only be used for debugging purposes.
122.It Fl unregistered_only | u
123Only alter outgoing packets with an
124.Em unregistered
125source address.
126According to RFC 1918, unregistered source addresses are 10.0.0.0/8,
127172.16.0.0/12 and 192.168.0.0/16.
128.It Fl redirect_port Ar proto Xo
129.Ar targetIP Ns : Ns Xo
130.Ar targetPORT Ns Op - Ns Ar targetPORT Xc
131.Op Ar aliasIP Ns : Ns Xo
132.Ar aliasPORT Ns Op - Ns Ar aliasPORT Xc
133.Oo Ar remoteIP Ns Oo : Ns
134.Ar remotePORT Ns Op - Ns Ar remotePORT
135.Oc Oc
136.Xc
137Redirect incoming connections arriving to given port(s) to another host
138and port(s).
139Argument
140.Ar proto
141is either
142.Ar tcp
143or
144.Ar udp ,
145.Ar targetIP
146is the desired target IP address,
147.Ar targetPORT
148is the desired target port number or range,
149.Ar aliasPORT
150is the requested port number or range, and
151.Ar aliasIP
152is the aliasing address.
153Arguments
154.Ar remoteIP
155and
156.Ar remotePORT
157can be used to specify the connection more accurately if necessary.
158If
159.Ar remotePORT
160is not specified, it is assumed to be all ports.
161.Pp
162Arguments
163.Ar targetIP , aliasIP
164and
165.Ar remoteIP
166can be given as IP addresses or as hostnames.
167The
168.Ar targetPORT , aliasPORT
169and
170.Ar remotePORT
171ranges need not be the same numerically, but must have the same size.
172When
173.Ar targetPORT , aliasPORT
174or
175.Ar remotePORT
176specifies a singular value (not a range), it can be given as a service
177name that is searched for in the
178.Xr services 5
179database.
180.Pp
181For example, the argument
182.Pp
183.Dl Ar tcp inside1:telnet 6666
184.Pp
185means that incoming TCP packets destined for port 6666 on this machine
186will be sent to the telnet port on the inside1 machine.
187.Pp
188.Dl Ar tcp inside2:2300-2399 3300-3399
189.Pp
190will redirect incoming connections on ports 3300-3399 to host
191inside2, ports 2300-2399.
192The mapping is 1:1 meaning port 3300 maps to 2300, 3301 maps to 2301, etc.
193.It Fl redirect_proto Ar proto localIP Oo
194.Ar publicIP Op Ar remoteIP
195.Oc
196Redirect incoming IP packets of protocol
197.Ar proto
198(see
199.Xr protocols 5 )
200destined for
201.Ar publicIP
202address to a
203.Ar localIP
204address and vice versa.
205.Pp
206If
207.Ar publicIP
208is not specified, then the default aliasing address is used.
209If
210.Ar remoteIP
211is specified, then only packets coming from/to
212.Ar remoteIP
213will match the rule.
214.It Fl redirect_address Ar localIP publicIP
215Redirect traffic for public IP address to a machine on the local
216network.
217This function is known as
218.Em static NAT .
219Normally static NAT is useful if your ISP has allocated a small block
220of IP addresses to you, but it can even be used in the case of single
221address:
222.Pp
223.Dl Ar redirect_address 10.0.0.8 0.0.0.0
224.Pp
225The above command would redirect all incoming traffic
226to machine 10.0.0.8.
227.Pp
228If several address aliases specify the same public address
229as follows
230.Bd -literal -offset indent
231redirect_address 192.168.0.2 public_addr
232redirect_address 192.168.0.3 public_addr
233redirect_address 192.168.0.4 public_addr
234.Ed
235.Pp
236the incoming traffic will be directed to the last
237translated local address (192.168.0.4), but outgoing
238traffic from the first two addresses will still be aliased
239to appear from the specified
240.Ar public_addr .
241.It Fl redirect_port Ar proto Xo
242.Ar targetIP Ns : Ns Xo
243.Ar targetPORT Ns Oo , Ns
244.Ar targetIP Ns : Ns Xo
245.Ar targetPORT Ns Oo , Ns
246.Ar ...\&
247.Oc Oc
248.Xc
249.Xc
250.Op Ar aliasIP Ns : Ns Xo
251.Ar aliasPORT
252.Xc
253.Oo Ar remoteIP Ns
254.Op : Ns Ar remotePORT
255.Oc
256.Xc
257.It Fl redirect_address Xo
258.Ar localIP Ns Oo , Ns
259.Ar localIP Ns Oo , Ns
260.Ar ...\&
261.Oc Oc
262.Ar publicIP
263.Xc
264These forms of
265.Fl redirect_port
266and
267.Fl redirect_address
268are used to transparently offload network load on a single server and
269distribute the load across a pool of servers.
270This function is known as
271.Em LSNAT
272(RFC 2391).
273For example, the argument
274.Pp
275.Dl Ar tcp www1:http,www2:http,www3:http www:http
276.Pp
277means that incoming HTTP requests for host www will be transparently
278redirected to one of the www1, www2 or www3, where a host is selected
279simply on a round-robin basis, without regard to load on the net.
280.It Fl dynamic
281If the
282.Fl n
283or
284.Fl interface
285option is used,
286.Nm
287will monitor the routing socket for alterations to the
288.Ar interface
289passed.
290If the interface's IP address is changed,
291.Nm
292will dynamically alter its concept of the alias address.
293.It Fl in_port | i Ar port
294Read from and write to
295.Xr divert 4
296port
297.Ar port ,
298treating all packets as
299.Dq incoming .
300.It Fl out_port | o Ar port
301Read from and write to
302.Xr divert 4
303port
304.Ar port ,
305treating all packets as
306.Dq outgoing .
307.It Fl port | p Ar port
308Read from and write to
309.Xr divert 4
310port
311.Ar port ,
312distinguishing packets as
313.Dq incoming
314or
315.Dq outgoing
316using the rules specified in
317.Xr divert 4 .
318If
319.Ar port
320is not numeric, it is searched for in the
321.Xr services 5
322database.
323If this option is not specified, the divert port named
324.Ar natd
325will be used as a default.
326.It Fl alias_address | a Ar address
327Use
328.Ar address
329as the aliasing address.
330Either this or the
331.Fl interface
332option must be used (but not both),
333if the
334.Fl proxy_only
335option is not specified.
336The specified address is usually the address assigned to the
337.Dq public
338network interface.
339.Pp
340All data passing
341.Em out
342will be rewritten with a source address equal to
343.Ar address .
344All data coming
345.Em in
346will be checked to see if it matches any already-aliased outgoing
347connection.
348If it does, the packet is altered accordingly.
349If not, all
350.Fl redirect_port ,
351.Fl redirect_proto
352and
353.Fl redirect_address
354assignments are checked and actioned.
355If no other action can be made and if
356.Fl deny_incoming
357is not specified, the packet is delivered to the local machine
358using the rules specified in
359.Fl target_address
360option below.
361.It Fl t | target_address Ar address
362Set the target address.
363When an incoming packet not associated with any pre-existing link
364arrives at the host machine, it will be sent to the specified
365.Ar address .
366.Pp
367The target address may be set to
368.Ar 255.255.255.255 ,
369in which case all new incoming packets go to the alias address set by
370.Fl alias_address
371or
372.Fl interface .
373.Pp
374If this option is not used, or called with the argument
375.Ar 0.0.0.0 ,
376then all new incoming packets go to the address specified in
377the packet.
378This allows external machines to talk directly to internal machines if
379they can route packets to the machine in question.
380.It Fl interface | n Ar interface
381Use
382.Ar interface
383to determine the aliasing address.
384If there is a possibility that the IP address associated with
385.Ar interface
386may change, the
387.Fl dynamic
388option should also be used.
389If this option is not specified, the
390.Fl alias_address
391option must be used.
392.Pp
393The specified
394.Ar interface
395is usually the
396.Dq public
397(or
398.Dq external )
399network interface.
400.It Fl config | f Ar file
401Read configuration from
402.Ar file .
403A
404.Ar file
405should contain a list of options, one per line, in the same form
406as the long form of the above command line options.
407For example, the line
408.Pp
409.Dl alias_address 158.152.17.1
410.Pp
411would specify an alias address of 158.152.17.1.
412Options that do not take an argument are specified with an argument of
413.Ar yes
414or
415.Ar no
416in the configuration file.
417For example, the line
418.Pp
419.Dl log yes
420.Pp
421is synonymous with
422.Fl log .
423.Pp
424Options can be divided to several sections.
425Each section applies to own
426.Nm
427instance.
428This ability allows to configure one
429.Nm
430process for several NAT instances.
431The first instance that always exists is a "default" instance.
432Each another instance should begin with
433.Pp
434.Dl instance Ar instance_name
435.Pp
436At the next should be placed a configuration option.
437Example:
438.Pp
439.Dl \&# default instance
440.Dl port 8668
441.Dl alias_address 158.152.17.1
442.Pp
443.Dl \&# second instance
444.Dl instance dsl1
445.Dl port 8888
446.Dl alias_address 192.168.0.1
447.Pp
448Trailing spaces and empty lines are ignored.
449A
450.Ql \&#
451sign will mark the rest of the line as a comment.
452.It Fl reverse
453This option makes
454.Nm
455reverse the way it handles
456.Dq incoming
457and
458.Dq outgoing
459packets, allowing it to operate on the
460.Dq internal
461network interface rather than the
462.Dq external
463one.
464.Pp
465This can be useful in some transparent proxying situations
466when outgoing traffic is redirected to the local machine
467and
468.Nm
469is running on the internal interface (it usually runs on the
470external interface).
471.It Fl proxy_only
472Force
473.Nm
474to perform transparent proxying only.
475Normal address translation is not performed.
476.It Fl proxy_rule Xo
477.Op Ar type encode_ip_hdr | encode_tcp_stream
478.Ar port xxxx
479.Ar server a.b.c.d:yyyy
480.Xc
481Enable transparent proxying.
482Outgoing TCP packets with the given port going through this
483host to any other host are redirected to the given server and port.
484Optionally, the original target address can be encoded into the packet.
485Use
486.Ar encode_ip_hdr
487to put this information into the IP option field or
488.Ar encode_tcp_stream
489to inject the data into the beginning of the TCP stream.
490.It Fl punch_fw Xo
491.Ar basenumber Ns : Ns Ar count
492.Xc
493This option directs
494.Nm
495to
496.Dq punch holes
497in an
498.Xr ipfirewall 4
499based firewall for FTP/IRC DCC connections.
500This is done dynamically by installing temporary firewall rules which
501allow a particular connection (and only that connection) to go through
502the firewall.
503The rules are removed once the corresponding connection terminates.
504.Pp
505A maximum of
506.Ar count
507rules starting from the rule number
508.Ar basenumber
509will be used for punching firewall holes.
510The range will be cleared for all rules on startup.
511.It Fl skinny_port Ar port
512This option allows you to specify the TCP port used for
513the Skinny Station protocol.
514Skinny is used by Cisco IP phones to communicate with
515Cisco Call Managers to set up voice over IP calls.
516By default, Skinny aliasing is not performed.
517The typical port value for Skinny is 2000.
518.It Fl log_ipfw_denied
519Log when a packet cannot be re-injected because an
520.Xr ipfw 8
521rule blocks it.
522This is the default with
523.Fl verbose .
524.It Fl pid_file | P Ar file
525Specify an alternate file in which to store the process ID.
526The default is
527.Pa /var/run/natd.pid .
528.El
529.Sh RUNNING NATD
530The following steps are necessary before attempting to run
531.Nm :
532.Bl -enum
533.It
534Build a custom kernel with the following options:
535.Bd -literal -offset indent
536options IPFIREWALL
537options IPDIVERT
538.Ed
539.Pp
540Refer to the handbook for detailed instructions on building a custom
541kernel.
542.It
543Ensure that your machine is acting as a gateway.
544This can be done by specifying the line
545.Pp
546.Dl gateway_enable=YES
547.Pp
548in the
549.Pa /etc/rc.conf
550file or using the command
551.Pp
552.Dl "sysctl net.inet.ip.forwarding=1"
553.Pp
554.It
555If you use the
556.Fl interface
557option, make sure that your interface is already configured.
558If, for example, you wish to specify
559.Ql tun0
560as your
561.Ar interface ,
562and you are using
563.Xr ppp 8
564on that interface, you must make sure that you start
565.Nm ppp
566prior to starting
567.Nm .
568.El
569.Pp
570Running
571.Nm
572is fairly straight forward.
573The line
574.Pp
575.Dl natd -interface ed0
576.Pp
577should suffice in most cases (substituting the correct interface name).
578Please check
579.Xr rc.conf 5
580on how to configure it to be started automatically during boot.
581Once
582.Nm
583is running, you must ensure that traffic is diverted to
584.Nm :
585.Bl -enum
586.It
587You will need to adjust the
588.Pa /etc/rc.firewall
589script to taste.
590If you are not interested in having a firewall, the
591following lines will do:
592.Bd -literal -offset indent
593/sbin/ipfw -f flush
594/sbin/ipfw add divert natd all from any to any via ed0
595/sbin/ipfw add pass all from any to any
596.Ed
597.Pp
598The second line depends on your interface (change
599.Ql ed0
600as appropriate).
601.Pp
602You should be aware of the fact that, with these firewall settings,
603everyone on your local network can fake his source-address using your
604host as gateway.
605If there are other hosts on your local network, you are strongly
606encouraged to create firewall rules that only allow traffic to and
607from trusted hosts.
608.Pp
609If you specify real firewall rules, it is best to specify line 2 at
610the start of the script so that
611.Nm
612sees all packets before they are dropped by the firewall.
613.Pp
614After translation by
615.Nm ,
616packets re-enter the firewall at the rule number following the rule number
617that caused the diversion (not the next rule if there are several at the
618same number).
619.It
620Enable your firewall by setting
621.Pp
622.Dl firewall_enable=YES
623.Pp
624in
625.Pa /etc/rc.conf .
626This tells the system startup scripts to run the
627.Pa /etc/rc.firewall
628script.
629If you do not wish to reboot now, just run this by hand from the console.
630NEVER run this from a remote session unless you put it into the background.
631If you do, you will lock yourself out after the flush takes place, and
632execution of
633.Pa /etc/rc.firewall
634will stop at this point - blocking all accesses permanently.
635Running the script in the background should be enough to prevent this
636disaster.
637.El
638.Sh SEE ALSO
639.Xr libalias 3 ,
640.Xr divert 4 ,
641.Xr protocols 5 ,
642.Xr rc.conf 5 ,
643.Xr services 5 ,
644.Xr syslog.conf 5 ,
645.Xr ipfw 8 ,
646.Xr ppp 8
647.Sh AUTHORS
648This program is the result of the efforts of many people at different
649times:
650.Pp
651.An Archie Cobbs Aq archie@FreeBSD.org
652(divert sockets)
653.An Charles Mott Aq cm@linktel.net
654(packet aliasing)
655.An Eivind Eklund Aq perhaps@yes.no
656(IRC support & misc additions)
657.An Ari Suutari Aq suutari@iki.fi
658(natd)
659.An Dru Nelson Aq dnelson@redwoodsoft.com
660(early PPTP support)
661.An Brian Somers Aq brian@awfulhak.org
662(glue)
663.An Ruslan Ermilov Aq ru@FreeBSD.org
664(natd, packet aliasing, glue)
665